date: "2016-12-01"
draft: false
title: "listdlls"
Reports the DLLs loaded into processes. Without any filters or flags, the results are likely to be in the order in which the DLLs were loaded.
Examples
| command | description |
|---|---|
| `listdlls <NAME/PID>` | list loaded DLLs of a process by name or PID |
| `listdlls -d <MODULE>.dll` | list processes with the MODULE DLL loaded |
| `listdlls -u` | show only unsigned DLLs |
| `listdlls -v` | show DLL version numbers |
| `listdlls \| find "Command"` | show only the Command line: output |
Man
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]
processname Dump DLLs loaded by process (partial name accepted).
pid Dump DLLs associated with the specified process id.
dllname Show only processes that have loaded the specified DLL.
-r Flag DLLs that relocated because they are not loaded at their base address.
-u Only list unsigned DLLs.
-v Show DLL version information
-d dllname
EXAMPLES
View all the DLLs that have been loaded by the command shell process
listdlls cmd.exe
Display the DLLs that are loaded by notepad.exe using the process ID
tasklist /FI "imagename eq notepad.exe" will give you the PID
listdlls notepad.exe will also give you the PID
pslist notepad (will match any fragment, i.e. note)
listdlls 2552
Display all the processes that have loaded WOW64.dll
listdlls -d wow64.dll
List a process that is using a DLL (must have the PID from the DLL)
listdlls <pid> i.e. listdlls 780
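When listdlls output has been saved to a file during triage, the `-d` lookup and the `find "Command"` filter shown above can be repeated offline. The following is an added example, not part of the original page or of the tool itself; the sample text is constructed, and its layout (a `name pid: N` header, a `Command line:` line, then Base/Size/Path rows) is an assumption about the default output format.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

# Constructed sample; layout assumed to match default listdlls output.
SAMPLE = r"""
------------------------------------------------------------------------------
cmd.exe pid: 2552
Command line: "C:\Windows\system32\cmd.exe"

Base                Size      Path
0x00000000f6a50000  0x67000   C:\Windows\system32\cmd.exe
0x00000000a1c90000  0x1f8000  C:\Windows\SYSTEM32\ntdll.dll
0x00000000a0010000  0x59000   C:\Windows\System32\wow64.dll
------------------------------------------------------------------------------
notepad.exe pid: 780
Command line: notepad.exe C:\Temp\notes.txt

Base                Size      Path
0x00000000e2b40000  0x38000   C:\Windows\system32\notepad.exe
0x00000000a1c90000  0x1f8000  C:\Windows\SYSTEM32\ntdll.dll
"""

HEADER = re.compile(r"^(?P<name>.+?) pid: (?P<pid>\d+)\s*$")
MODULE = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(?P<path>.+?)\s*$")

def parse_listdlls(text):
    """Return one record per process: name, pid, command line, module paths."""
    procs, cur = [], None
    for line in text.splitlines():
        if line.startswith("Command line:"):
            if cur is not None:
                cur["cmdline"] = line.split(":", 1)[1].strip()
        elif m := HEADER.match(line):
            cur = {"name": m["name"], "pid": int(m["pid"]),
                   "cmdline": "", "modules": []}
            procs.append(cur)
        elif cur is not None and (m := MODULE.match(line)):
            cur["modules"].append(m["path"])
    return procs

def processes_with_dll(procs, dllname):
    """Answer the same question as `listdlls -d dllname` from saved output."""
    want = dllname.lower()
    return [(p["name"], p["pid"]) for p in procs
            if any(basename(path).lower() == want for path in p["modules"])]

def command_lines(procs):
    """Same information as `listdlls | find "Command"`, keyed by PID."""
    return {p["pid"]: p["cmdline"] for p in procs}
```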